Hi Rob, thanks a lot for the enlightening remarks.

> You can only have one 192.168.10.0/24 subnet. If both your NIC's have an
> IP from that range, your routing rules will point to both NIC's as
> gateway. The first gateway that matches a routing rule is "accepted".
>
> So, machine A :
> eth0: 192.168.10.1 (192.168.10.0/24)
> eth1: 192.168.10.2 (192.168.10.0/24)
>
> Your kernel IP routing table will look like :
> Destination     Gateway         Genmask         Iface
> 192.168.10.0    192.168.10.1    255.255.255.0   eth0
> 192.168.10.0    192.168.10.2    255.255.255.0   eth1
>
> Say, machine B is connected to eth1 on machine A. Machine A sends a
> packet. The first rule matches so it will send that packet via eth0, not
> eth1. So machine B will never see the packet.
>

Yeah.

> If you don't use different subnets on each NIC, I still think you have a
> routing problem.
>
> ==========
>
> Hi Chinh, I tried interchanging eth0 and eth1 and still no luck.
>
> No. It won't work if you only allow forwarding from eth1 to eth0 (or
> vv). You *also* need the reverse rule (not *instead of*).
>
> If you do :
> $ipt -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> And do not accept RELATED,ESTABLISHED, you also need :
> $ipt -A FORWARD -i eth0 -o eth1 -j ACCEPT
>
> But that would be less secure. It's better to accept packets that are
> already accepted by another (specific) rule. So, you'd have a rule like
> :
> $ipt -A FORWARD -m state --state RELATED,ESTABLISHED \
> -j ACCEPT
> instead of the one above this.

Yes, I understand the security issues, but first I would like to see that it
works at all (accessing the outside world from 'machine B') and then
tighten security.
> ===== Later post =====
>
> > And I'm also quite confused about eth0/ppp0, perhaps a related
> > issue is that the kernel ip table of 'machine A' is
> >
> > Destination     Gateway         Genmask         Iface
> > 213.191.89.30   *               255.255.255.255 ppp0
> > 192.168.10.0    *               255.255.255.0   eth1
> > 192.168.10.0    *               255.255.255.0   eth0
> > 169.254.0.0     *               255.255.0.0     eth0
> > default         213.191.89.30   0.0.0.0         ppp0
>
> Ah.. I never saw anything about you using a ppp0 device before... From
> your diagram I thought the modem(/router ?) was doing NAT also...
> In that case, yes : you need MASQUERADE.

Well, that's only because of my not understanding how things work :)

> I think that your routing table shows the routing problem I'm talking
> about.
> If a packet gets sent to 192.168.10.100, you don't know via which NIC
> it's going out, eth0 or eth1, because there are 2 rules for the same
> subnet via different interfaces.
> (I'm not sure if the routing table is showing the routes in processing
> order.)

Okay, so it's a routing problem. I guess the way to change that and make it
right is through the ifcfg-eth0, ifcfg-eth1 and ifcfg-ppp0 files, isn't it?
At the moment they are (on 'machine A'):

DEVICE=eth1
BOOTPROTO=none
BROADCAST=192.168.10.255
IPADDR=192.168.10.101
NETMASK=255.255.255.0
NETWORK=192.168.10.0
ONBOOT=yes
TYPE=Ethernet
GATEWAY=192.168.10.254

DEVICE=eth0
BROADCAST=192.168.10.255
IPADDR=192.168.10.105
NETMASK=255.255.255.0
NETWORK=192.168.10.0
TYPE=Ethernet
ONBOOT=yes
GATEWAY=192.168.10.254

USERCTL=yes
BOOTPROTO=dialup
NAME=DSLppp0
DEVICE=ppp0
TYPE=xDSL
ONBOOT=yes
PIDFILE=/var/run/pppoe-adsl.pid
FIREWALL=MASQUERADE
PING=.
PPPOE_TIMEOUT=80
LCP_FAILURE=3
LCP_INTERVAL=20
CLAMPMSS=1412
CONNECT_POLL=6
CONNECT_TIMEOUT=60
DEFROUTE=yes
SYNCHRONOUS=no
ETH=eth1
PROVIDER=DSLppp0
USER=02024784362
PEERDNS=yes
DEMAND=no
PERSIST=no

So I need to modify the NETWORK and GATEWAY parameters for eth0 and/or eth1?
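The two points Rob makes in this exchange, the ambiguous routes when both NICs sit in 192.168.10.0/24 and the stateful FORWARD rules plus MASQUERADE on the ppp0 uplink, can be checked and generated with a small script. This is an added example, not code from either poster: it computes the network each NIC is in from the IPADDR/NETMASK values pasted above and flags the overlap, then prints the rule set a gateway like 'machine A' needs. It assumes eth0 is the LAN side (the pasted ifcfg-ppp0 has ETH=eth1, so the PPPoE session rides on eth1 and ppp0 is the uplink); the helper names and the 192.168.20.0/24 "fixed" address are mine. With IPT left at its default the script only echoes the iptables commands; run it as root with IPT=iptables to apply them.

```shell
#!/bin/sh
# Added example (not from the thread). Part 1 detects two NICs configured in
# the same subnet, the routing ambiguity discussed above. Part 2 prints the
# forwarding/NAT rules for a gateway with a LAN NIC and a ppp0 uplink.
# Assumed: eth0 = LAN side, ppp0 = uplink (ETH=eth1 carries the PPPoE session).
# IPT defaults to a dry run that echoes the commands instead of running them.

IPT="${IPT:-echo iptables}"

# ip_to_int 192.168.10.101 -> 3232238181 (dotted quad to integer)
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232238080 -> 192.168.10.0
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# network_of IP NETMASK -> network address (IP AND NETMASK)
network_of() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$2") ))
}

# same_subnet IP1 MASK1 IP2 MASK2 -> exit 0 if both addresses lie in one network
same_subnet() {
    [ "$2" = "$4" ] && [ "$(network_of "$1" "$2")" = "$(network_of "$3" "$4")" ]
}

# check_nics IF1 IP1 MASK1 IF2 IP2 MASK2 -> exit 1 with a message on overlap
check_nics() {
    if same_subnet "$2" "$3" "$5" "$6"; then
        echo "BAD: $1 ($2) and $4 ($5) are both in $(network_of "$2" "$3");" \
             "the kernel will route the whole subnet out of whichever route comes first" >&2
        return 1
    fi
    echo "OK: $1 is in $(network_of "$2" "$3"), $4 is in $(network_of "$5" "$6")"
}

# gateway_rules LAN_IF WAN_IF: stateful forwarding plus NAT on the uplink.
# net.ipv4.ip_forward=1 must also be set (sysctl); this script does not do that.
gateway_rules() {
    lan=$1
    wan=$2
    $IPT -P FORWARD DROP
    # LAN hosts may open connections towards the uplink ...
    $IPT -A FORWARD -i "$lan" -o "$wan" -j ACCEPT
    # ... and only traffic belonging to those connections comes back in.
    $IPT -A FORWARD -i "$wan" -o "$lan" -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Rewrite LAN source addresses to whatever address ppp0 currently has.
    $IPT -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

demo() {
    # The thread's configuration: both NICs in 192.168.10.0/24 (fails the check).
    check_nics eth1 192.168.10.101 255.255.255.0 eth0 192.168.10.105 255.255.255.0 || true
    # One way out (addresses assumed): give eth1 its own subnet, or no LAN address at all.
    check_nics eth1 192.168.20.1 255.255.255.0 eth0 192.168.10.105 255.255.255.0
    gateway_rules eth0 ppp0
}

demo
```

The FORWARD policy of DROP plus the RELATED,ESTABLISHED rule is the "more secure" shape Rob describes: unsolicited packets arriving on ppp0 are never forwarded into the LAN, only replies to connections the LAN opened.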